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Warnings 


■  Do  not  attempt  to  implement  any  of  the  settings  in  this  guide  without  first 
testing  in  a  non-operational  environment. 

■  This  document  is  only  a  guide  containing  recommended  security  settings.  It  is  not 
meant  to  replace  well-structured  policy  or  sound  judgment.  Furthermore  this  guide 
does  not  address  site-specific  configuration  issues.  Care  must  be  taken  when 
implementing  this  guide  to  address  local  operational  and  policy  concerns. 

■  The  security  changes  described  in  this  document  only  apply  to  Microsoft  Windows 
2000  systems  and  should  not  be  applied  to  any  other  Windows  2000  versions  or 
operating  systems. 

■  SOFTWARE  IS  PROVIDED  "AS  IS"  AND  ANY  EXPRESS  OR  IMPLIED 
WARRANTIES,  INCLUDING,  BUT  NOT  LIMITED  TO,  THE  IMPLIED  WARRANTIES 
OF  MERCHANTABILITY  AND  FITNESS  FOR  A  PARTICULAR  PURPOSE  ARE 
EXPRESSLY  DISCLAIMED.  IN  NO  EVENT  SHALL  THE  CONTRIBUTORS  BE 
LIABLE  FOR  ANY  DIRECT,  INDIRECT,  INCIDENTAL,  SPECIAL,  EXEMPLARY,  OR 
CONSEQUENTIAL  DAMAGES  (INCLUDING,  BUT  NOT  LIMITED  TO, 
PROCUREMENT  OF  SUBSTITUTE  GOODS  OR  SERVICES;  LOSS  OF  USE, 
DATA,  OR  PROFITS;  OR  BUSINESS  INTERRUPTION)  HOWEVER  CAUSED  AND 
ON  ANY  THEORY  OF  LIABILITY,  WHETHER  IN  CONTRACT,  STRICT  LIABILITY, 
OR  TORT  (INCLUDING  NEGLIGENCE  OR  OTHERWISE)  ARISING  IN  ANY  WAY 
OUT  OF  THE  USE  OF  THIS  SOFTWARE,  EVEN  IF  ADVISED  OF  THE 
POSSIBILITY  OF  SUCH  DAMAGE. 

■  This  document  is  current  as  of  April  6,  2001 .  See  Microsoft's  web  page 
http://www.microsoft.com/  for  the  latest  changes  or  modifications  to  the  Windows 
2000  operating  system. 
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Trademark  Information 


Microsoft,  MS-DOS,  Windows,  Windows  2000,  Windows  NT,  Windows  98,  Windows  95, 
Windows  for  Workgroups,  and  Windows  3.1  are  either  registered  trademarks  or 
trademarks  of  Microsoft  Corporation  in  the  U.S.A.  and  other  countries. 

All  other  names  are  registered  trademarks  or  trademarks  of  their  respective  companies. 


UNCLASSIFIED 


V 


UNCLASSIFIED 


This  Page  Intentionally  Left  Blank 


VI 


UNCLASSIFIED 


UNCLASSIFIED 


Table  of  Contents 


Warnings . iii 

Trademark  Information . v 

Table  of  Contents . vii 

Table  of  Figures . viii 

Introduction . 1 

Getting  the  Most  from  this  Guide . 1 

About  the  Guide  to  Using  DoD  PKI  Certificates  in  Outlook  2000  . 1 

Outlook  2000  Certificate  Configuration . 3 

DoD  PKI  Certificates . 3 

Suppress  Name  Checking . 3 

Choose  the  DoD  PKI  Certificates . 3 

Enable  Service  Release  Features . 5 

Get  and  Check  the  CRL . 5 

References . 7 


UNCLASSIFIED 


VII 


UNCLASSIFIED 


Table  of  Figures 


Figure  1  --  Dialog  Boxl  . 4 

Figure  2  --  Dialog  Box2 . 5 


viii 


UNCLASSIFIED 


UNCLASSIFIED 


Introduction 

The  purpose  of  this  guide  is  to  provide  detailed  information  on  the  configuration  of  Office 
2000  in  order  to  permit  the  use  of  DoD  PKI  Certificates  and  the  checking  of  Certificate 
Revocation  Lists  (CRLs). 


Getting  the  Most  from  this  Guide 


The  following  list  contains  suggestions  to  successfully  use  the  Guide  to  Using  DoD  PKI 
Certificates  in  Outlook  2000: 

6  WARNING:  This  list  does  not  address  site-specific  issues 
and  every  setting  in  this  book  should  be  tested  on  a  non- 
operational  network. 

□  Read  the  guide  in  its  entirety.  Omitting  or  deleting  steps  can  potentially  lead  to 
an  unstable  system  and/or  network  that  will  require  reconfiguration  and 
reinstallation  of  software. 

□  Perform  pre-configuration  recommendations: 

□  Perform  a  complete  backup  of  your  system  before  implementing  any  of 
the  recommendations  in  this  guide. 

□  Ensure  that  the  latest  Windows  2000  service  pack  and  hotfixes  have 
been  installed.  For  further  information  on  critical  Windows  2000  updates, 
see  the  Windows  Update  for  Windows  2000  web  page. 

□  Follow  the  security  settings  that  are  appropriate  for  your  environment. 


About  the  Guide  to  Using  DoD  PKI  Certificates  in  Outlook  2000 


This  document  consists  of  the  following  chapters: 

Chapter  1,  “Outlook  2000  Certificate  Configuration,”  contains  information  on 
configuring  DoD  PKI  certificates,  suppressing  name  checking,  enabling  service  release 
features,  and  checking  Certificate  Revocation  Lists  (CRLs). 

Appendix  A,  “References,”  contains  a  list  of  resources  cited. 
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Chapter 

1 


Outlook  2000  Certificate  Configuration 

Previous  versions  of  Outlook  are  compatible  with  S/MIME  version  2.  In  S/MIME  version 
2,  certificates  for  email  are  required  to  have  the  correct  email  address  in  the  certificate.  In 
S/MIME  version  3,  the  email  address  is  not  required  to  be  in  the  certificate.  Microsoft 
Outlook  2000  can  be  configured  to  conform  to  S/MIME  version  3  and  use  any  valid 
certificate  for  email.  In  addition,  Outlook  2000  can  be  configured  to  check  Certificate 
Revocation  Lists  (CRLs)  for  the  entire  certificate  chain  of  an  email  certificate.  This  paper 
shows  the  changes  that  need  to  be  made  to  the  configuration  of  Office  2000  to  permit  the 
use  of  DoD  PKI  Certificates  and  the  checking  of  CRLs. 


DoD  PKI  Certificates 


The  DoD  PKI  intends  to  issue  two  certificates  to  all  users  -  one  certificate  to  be  used  for 
encryption  and  one  to  be  used  for  signing.  These  certificates  will  not  contain  any  user 
information  that  changes  frequently.  The  email  address  of  the  user,  for  instance,  will  not 
be  in  the  certificate.  Both  of  these  certificates  are  used  for  email,  one  to  sign  outgoing 
messages  and  one  to  decrypt  incoming  encrypted  email.  The  certificates  will  contain  an 
extension  called  the  Certificate  Revocation  List  Distribution  Point  (CDP).  This  extension 
should  contain  a  URL  that  is  used  to  obtain  the  latest  CRLs  from  the  DoD. 


Suppress  Name  Checking 


To  use  a  certificate  without  an  email  address  in  Outlook  2000,  you  need  to  have  your 
system  administrator  add  the  following  registry  key: 

HKEY_LOCAL_MACHINE/ SOFTWARE /Micros oft /Of f ice/ 9 . 0 /Out look/Security 

Then  add  a  new  DWORD  value  called  SupressNameChecks  and  set  it  to  0x1.  The 
conscientious  spellers  out  there  will  want  to  note  the  misspelling  of  the  word  Supress  in 
this  key.  Make  sure  that  it  is  spelled  exactly  as  above  (with  only  one  p  in  Supress).  This 
will  allow  the  use  of  certificates  without  the  email  address  check  being  applied. 


Choose  the  DoD  PKI  Certificates 


To  use  your  DoD  PKI  Certificates  to  sign  and  receive  encrypted  email  (See  Figure  1): 

□  Open  Outlook  2000 

□  Click  on  the  Tools  menu  and  select  Options. 
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Outlook  2000 
Certificate  Confiauration 


Outlook  2000 
Certificate  Confiouration 


UNCLASSIFIED 


□  Select  the  Security  tab 

□  Click  on  the  Settings  button. 

□  Click  on  the  New  button  to  create  a  new  set  of  security  settings.  Give  the  setting 
a  name.  If  you  wish  to  use  this  setting  as  default  for  all  email  messages,  check 
the  default  buttons. 

□  Use  the  Choose  button  to  select  the  certificates  to  be  used  for  signing  and 
encryption.  In  this  window  you  should  also  choose  SHA1  as  the  hash  and  3DES 
for  encryption.  These  certificates  will  now  be  used  to  sign  and  encrypt  your  email. 


Figure  1  -  Changing  the  Security  Settings  Dialog  Box 

For  any  given  message  that  you  are  sending,  you  can  check  that  these  settings  are  the 
ones  being  applied  to  the  message  (See  Figure  2): 

□  In  the  message  composition  window  under  the  File  menu,  choose  Properties. 

□  Select  the  Security  tab.  Choose  the  Security  Setting  that  you  created  using  the 
window  above.  IVhke  sure  that  you  have  chosen  to  encrypt  and/or  sign  the 
message. 
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Figure  2  -  Checking  Security  Setting  Dialog  Box 


Enable  Service  Release  Features 


Outlook  can  be  configured  to  display  more  information  about  the  certificates  being  used 
in  the  email  tool.  Specifically,  the  status  of  the  CRLs  for  the  certificates  can  be  displayed. 
To  enable  these  extra  security  displays,  you  need  to  have  your  system  administrator  edit 
the  following  registry  key: 

HKEY_LOCAL_MACHINE/ SOFTWARE/Microsoft/ Office/ 9 . 0 /Out look/Security 

Then  add  a  new  DWORD  value  called  EnabieSRFeatures,  and  set  it  to  Oxi.  Once  this 
setting  is  added,  you  will  see  that  the  displays  of  information  are  different  when  you  click 
on  either  the  certificate  icon  or  the  lock  icon  on  any  signed  or  encrypted  email. 


Get  and  Check  the  CRL 


Outlook  does  not  currently  download  the  CRL  without  some  modification  to  the  registry. 
The  system  administrator  needs  to  add  the  following  registry  key: 

HKEY_LOCAL_MACHINE \ SOFTWARE /Microsoft \Cryptography\ { 7801ebd0- 
cf4b-lld0-851f-0060979387ea} 
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Outlook  2000 
Certificate  Confiauration 


Outlook  2000 
Certificate  Confiouration 
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Then  add  a  new  DWORD  value  called  PolicyFlags  and  set  it  to  OxOOOlOOOO.  This 
causes  Outlook  to  actually  download  the  CRL  Verify  that  the  CRL  was  downloaded  by 
opening  Internet  Explorer  and  performing  the  following  steps: 

□  In  the  Internet  Explorer  menu,  select  Tools  ->  Options 

□  Click  the  General  tab 

□  Click  Settings.  This  will  present  you  with  another  dialog  box. 

□  Select  View  Files  and  you  should  see  the  CRLs  in  the  Temporary  Internet  Files. 

Unfortunately,  the  Outlook  2000  display  still  indicates  that  the  CRL’s  were  not  checked. 
To  get  the  results  of  the  CRL  checking  displayed  by  the  Outlook  software,  you  must  also 
apply  a  hotfix.  The  number  of  the  hotfix  is  Q269784,  but  you  must  obtain  it  by  directly 
contacting  Microsoft. 
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Append* 

A 


Microsoft’s  Web  Page,  http://www.microsoft.com/ 

Windows  Update  for  Windows  2000  Web  Page, 

http://www.microsoft.com/windows2000/downloads/default.asp 
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